Hi, how do you identify an Active Directory Domain Controller? I've the following approaches in mind: 1. Check for Service "Active Directory Domain Services" in services table, if it exists (not necessarily started) its a Domain Controller. 2. Check if sysinfo.local_hostname matches ntdomains.domain_controller_name, if there is a match, its a Domain Controller. This assumes that a DC identifies itself in ntdomains. 3. Check if specific roles are installed. Not sure how to do this with osquery. The statement for 2) looks like this and it works in my environment.

SELECT 1

WHERE EXISTS (SELECT split(nt.domain_controller_name, "\", 0) AS dc, UPPER(sys.local_hostname) AS host FROM ntdomains nt JOIN system_info sys WHERE dc = host);

Any other ideas or experiences?